Forum Discussion
Http auth agent against SSL backend is not allowed
I have an application that sends OTPs to users through an external API, but the HTTP AAA server doesn't accept HTTPS requests; it shows me the following message:
In AAA HTTP server, Using Http auth agent against SSL backend is not allowed, please, create a layered virtual server with serverssl profile
I created a virtual server with the external API IP on port 80 and a serverssl profile, and a pool with the same external API IP but on port 443; still the APM policy didn't respond.
Can you give me some guidance on how to proceed?
Are you stuck with this, sa1eh?
I quickly built the general concept and for me it works. Well, I see the request at the pool member of the layered virtual server.
Can you determine if the request arrives there at all?
- sa1eh
Altostratus
Yes still stuck.
Can you please explain the steps to do layered virtual server?
Sure.
You create a virtual server with any IP address on port 80, and you use that IP address in the AAA HTTP server as http://<ip>. You attach a server SSL profile to it. The pool for that virtual server contains the actual IP address you want to send the traffic to, on port 443.
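The layered virtual server described above, written out as tmsh commands. This is an added example and is not from this thread or from F5's documentation; the address 192.168.10.10, the sms_api_* object names and the use of the API hostname for SNI are assumptions, while 95.177.212.58:443 and xservices.rich.sa are the endpoint values sa1eh posted in this thread.

```tmsh
# Added example (not from the thread): the layered virtual server described above.
# 192.168.10.10 and the sms_api_* names are assumed; 95.177.212.58:443 and
# xservices.rich.sa come from the service URL posted in the thread.

# 1. Pool whose only member is the real HTTPS endpoint, on port 443,
#    with the built-in https monitor so a TLS failure shows up as a down member.
create ltm pool sms_api_pool members add { 95.177.212.58:443 } monitor https

# 2. Server SSL profile: the BIG-IP speaks TLS towards the pool member and
#    sends the API hostname as SNI (server-name is assumed to be required here).
create ltm profile server-ssl sms_api_serverssl defaults-from serverssl server-name xservices.rich.sa

# 3. Plain-HTTP virtual server that the AAA HTTP server will point at.
#    The http profile is needed alongside the server-ssl profile; SNAT automap
#    makes the backend's reply return through the BIG-IP.
create ltm virtual sms_api_layered destination 192.168.10.10:80 ip-protocol tcp profiles add { http sms_api_serverssl } pool sms_api_pool source-address-translation { type automap }

# 4. In the APM AAA HTTP server, use http://192.168.10.10 (not https://).
#    Confirm the objects and that the member is up before testing the policy.
list ltm virtual sms_api_layered
show ltm pool sms_api_pool members
```

Two things to check when the policy still does not respond. First, from bash on the BIG-IP, `tcpdump -nni 0.0 host 192.168.10.10 and port 80` shows whether the AAA request reaches the layered virtual server at all, and `tcpdump -nni 0.0 host 95.177.212.58 and port 443` whether the TLS connection to the API leaves the pool side; that is the same first question boneyard asks below. Second, the AAA HTTP server builds its Host header from the URL, so the API will see Host: 192.168.10.10; if the service requires its FQDN, rewrite it on the layered virtual server with an HTTP::host iRule, as Thriff does further down in the thread.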
- sa1eh
Altostratus
This is service URL
https://xservices.rich.sa/RiCHClientServiceREST.svc/SendSmsLoginGet?username=???&password=???&Sender=???&Text=???&number=???
I did a virtual server with 192.168.x.x port 80 and a pool with 95.177.212.58 port 443, which is the public IP of the service.
I followed this tutorial: https://devcentral.f5.com/s/articles/you-down-with-otp
and this is my APM policy:
and this is AAA HTTP:
- Luca_Comes
Cirrus
Hi sa1eh,
did you manage to make it work? I have the same problem but I don't understand how to configure the layered VS; my SMS gateway works only via HTTPS. I really don't understand how to debug it, I hope someone can help me.
Thank you in advance
Luca
- sa1eh
Altostratus
Hi Luca
Yes, still stuck. I tried the solution provided by boneyard
and still nothing is happening, but I really think his way is right; I think I have some technical issue with how F5 is wired.
sa1eh / Luca, this should not have anything to do with wiring.
Troubleshooting starts with tcpdump: do you see the request?
First question: when you tcpdump, do you see the request for the 192.168.x.x?
- Luca_Comes
Cirrus
Hi all,
if it can help, I've solved my problem with the help of customer support. In my case I've configured a VS listening on HTTP with the HTTPS servers as its default pool. Then I've configured my HTTP access as a custom POST and modified it as needed. I suggest logging the headers with tcpdump and adjusting the POST as needed.
Luca
Thanks for sharing, Luca.
- Thriff
Nimbostratus
Hi,
I got our AAA HTTP Auth working with a layered VIP that also sent it through an outbound proxy, since the F5 instance itself is firewalled and can't talk directly to the internet.
Traffic flow:
HTTP AUTH -> sms_service_80 (REDIRECT) -> sms_service_443 -> outbound-proxy -> External SMS OTP service (internet)
In the HTTP Auth config, set Number Of Redirects To Follow to 1 so that it accepts a redirect.
Here's an AS3 snippet of the VS config:
"sms_service_80": {
    "class": "Service_HTTP",
    "remark": "SMS Service Redirect",
    "virtualAddresses": [ "10.0.0.1" ],
    "virtualPort": 80,
    "persistenceMethods": [],
    "iRules": [ { "use": "sms-redirect.irule" } ],
    "snat": "auto"
},
"sms_service_443": {
    "class": "Service_HTTPS",
    "remark": "SMS Service Proxy",
    "virtualAddresses": [ "10.0.0.1" ],
    "virtualPort": 443,
    "redirect80": false,
    "pool": "proxy-pool",
    "profileHTTP": { "use": "proxy-http" },
    "clientTLS": { "bigip": "/Common/serverssl" },
    "serverTLS": { "bigip": "/Common/clientssl" },
    "persistenceMethods": [],
    "snat": "auto"
},
"proxy-pool": {
    "class": "Pool",
    "monitors": [],
    "loadBalancingMode": "least-connections-member",
    "members": [
        {
            "shareNodes": true,
            "adminState": "enable",
            "servers": [ { "name": "outbound-proxy.localdomain.com", "address": "10.1.1.1" } ],
            "servicePort": 8080
        }
    ]
},
"proxy-http": {
    "class": "HTTP_Profile",
    "proxyConnectEnabled": true
},
And the custom redirect iRule "sms-redirect.irule" that keeps method and body intact:
when HTTP_REQUEST priority 500 {
    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections
    # 308 Permanent Redirect: Similar to 301, but it ensures that the method and body of the request are not changed
    HTTP::respond 308 Location "https://[HTTP::host][HTTP::uri]"
}
You also want to either add the external SMS-service hostname as a local alias on the F5 instance with the HTTP Auth (System ›› Configuration : Device : Hosts) and keep the FQDN in the HTTP Auth config.
E.g.:
Or change it with an iRule on the 443 VS, and have the local IP in the HTTP Auth config:
when HTTP_REQUEST_RELEASE priority 500 {
    HTTP::host "sms-service.example.com"
}
Otherwise the outbound proxy won't know where to send the request.
Hope this helps someone (: